1 / 13

Secure Frame Format Proposal

Secure Frame Format Proposal. SFF: PAR, Architecture, 5 Criteria, Some ideas and notes mick_seaman@ieee.org. SFF Proposal : Agenda. Explain the key concepts behind the words of the PAR Describe the architectural fit of this component of the security solution

roch
Télécharger la présentation

Secure Frame Format Proposal

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Secure Frame Format Proposal SFF: PAR, Architecture, 5 Criteria, Some ideas and notes mick_seaman@ieee.org

  2. SFF Proposal : Agenda • Explain the key concepts behind the words of the PAR • Describe the architectural fit of this component of the security solution • Provide further material for the 5 criteria • Share some ideas about potential solutions and consequences Secure Frame Format Proposal

  3. Proposed Scope : Some words To define a secure frame format to ensure the connectionless confidentiality of MAC Service Data Units (MSDUs) and to ensure data origin identification and the connectionless integrity of the MAC frames that convey these MSDUs using a secure association between MAC layer entities providing the MAC Internal Sublayer Service (-1-) or the MAC Enhanced Internal Sublayer Service (-2-). This proposed standard will not include key management but will make use of other projects to establish the secure association. References: -1- IEEE Std 802.1D, -2- IEEE Std 802.1Q. Secure Frame Format Proposal

  4. SFF PAR Concepts Communication between: • Peer media access method independent MAC layer entities: • Providing ISS (.1D) or EISS (.1Q) With • Connectionless data integrity • Connectionless data confidentiality • Data origin authenticity Secure Frame Format Proposal

  5. Concepts : SFF Entities • Peers • Media access method independent • MAC layer entities MAC Service Boundary Media Access Method Dependent Functions Secure Frame Format Proposal

  6. Concepts : Internal Sublayer Service ISS = MAC Service + MAC SA, FCS, access priority EISS = ISS + VLAN ID MAC Service Boundary Media Access Method Dependent Functions Secure Frame Format Proposal

  7. Concepts : Connectionless data Connectionless Service Provision • Each service request is independent of any other • Delivery probability and ordering are aspects of QoS Connectionless Service Support • Each service request is supported by a single frame transmission, not a sequence of related frames • Frames are mutually independent • Agreed replay protection discussion is in PAR scope Secure Frame Format Proposal

  8. Concepts : Data integrity & confidentiality Data integrity • Covers MAC DA, SA, VID*, user priority*, user data • Does not cover MAC dependent fields Data confidentiality • Covers user data • Possible interworking issues between .1D + SFF and .1Q + SFF • Does not cover MAC DA, SA, VID*, user priority*, MAC dependent fields Secure Frame Format Proposal

  9. Concepts : Data origin authenticity Need to know which entity has ‘secured’ the data if not implicit at receiver, i.e. if ‘multihop’ or non-pt-to-pt • Integrity guaranteed • Confidentiality explicitly not provided • Facilitate management observation • Confuse or optimize with key identity? • Field may be absent if pt-to-pt single hop • Field may be absent, if logical pt-to-pt single hop? • System redundancy with LLID? Secure Frame Format Proposal

  10. Concepts : What’s not in Denial of service • BUT after known time deltaT has elapsed after any attack has ceased the system is guaranteed to recover from the DoS Secure Frame Format Proposal

  11. SFF Architecture (likely consequences 1) • Secure association end points map to Ports (.1D, .1X) • Uncontrolled and Secured/Authorized Ports • Address the bootstrap problem • In principle could have multiple Ports, each corresponding to a number of security associations MAC Service Boundary Media Access Method Dependent Functions Secure Frame Format Proposal

  12. SFF Architecture (likely consequences 2) Secure Frame Format Proposal

  13. Notes : On a frame format • DA, SA • SFF TAG • Key Identifier • Data Origin (Securing Party) Identifier • VLAN TAG (optional) • User data • Integrity Check Value optional Integrity optional Confidentiality Secure Frame Format Proposal

More Related